23andMe has agreed to pay $18 million to settle claims stemming from its genetics data breach, according to BleepingComputer. The settlement follows the 2023 credential-stuffing incident that exposed sensitive genetic and ancestry data for millions of users, information that by its nature cannot be reset, rotated, or reissued the way a password can.
This is the second act of a pattern that plays out whenever a company sits on irreplaceable personal data without treating it as a liability: the breach itself is only the opening cost. The real bill arrives later, in the form of regulatory settlements, class actions, and reputational rot that outlasts the news cycle. 23andMe's exposure was compounded by weak account security (no mandatory MFA, reused-credential exposure) at a company whose entire value proposition depended on customers trusting it with the most permanent data set that exists about them. Once that trust breaks, there's no patch that fixes it -- only settlements that price it after the fact.
The SAL read: if your business holds data customers can never change once it leaks -- biometric, genetic, health -- your security spend should be sized to that permanence, not to your revenue.